Some New Musical Scenes on the Second Hittite Relief Vase (Tayfun Yildirim)
QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun...
-
Upload
ashton-leatherbury -
Category
Documents
-
view
214 -
download
1
Transcript of QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun...
![Page 1: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/1.jpg)
QED: A Simplifier for Concurrent Programs
Shaz Qadeer Microsoft Research
Joint work with Tayfun Elmas Ali Sezgin Serdar Tasiran
![Page 2: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/2.jpg)
Reliable concurrent software?• Concurrency results in Heisenbugs– non-deterministic, timing dependent– data corruption, crashes– difficult to detect, reproduce, eliminate
• Correctness problem– does program behave correctly for all inputs and all interleavings?
![Page 3: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/3.jpg)
P satisfies S
Undecidable problem!
![Page 4: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/4.jpg)
P satisfies S
Assertions: Provide contracts to decompose problem into a collection of decidable problems• pre-condition and post-condition for each procedure• loop invariant for each loop
![Page 5: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/5.jpg)
int t;
L0: acquire(l);
L1: t := x;
L2: t := t + 1;
L3: x := t;
L4: release(l);
L5:
pre x=c;
post x=c+2;
int t;
M0: acquire(l);
M1: t := x;
M2: t := t + 1;
M3: x := t;
M4: release(l);
M5:
A B
B@M0x=c, B@M5x=c+1
B@M0x=c, B@M5x=c+1, held(l, A)
B@M0x=c, B@M5x=c+1, held(l, A), t=x
B@M0x=c, B@M5x=c+1, held(l, A), t=x+1
B@M0x=c+1, B@M5x=c+2, held(l, A)
B@M0x=c+1, B@M5x=c+2
A@L0x=c, A@L5x=c+1
A@L0x=c, A@L5x=c+1, held(l, B)
A@L0x=c, A@L5x=c+1, held(l, B), t=x
A@L0x=c, A@L5x=c+1, held(l, B), t=x+1
A@L0x=c+1, A@L5x=c+2, held(l, B)
A@L0x=c+1, A@L5x=c+2
Invariant problem
![Page 6: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/6.jpg)
int t;acquire(l);t := x;t := t + 1;x := t;release(l);
Abstraction problem
int t;t := x;t := t + 1;x := t;
x := x+1
??
![Page 7: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/7.jpg)
int t;
L0: acquire(l);L1: t := x;L2: t := t + 1;L3: x := t;L4: release(l);L5:
pre x=c;
post x=c+2;
int t;
M0: acquire(l);M1: t := x;M2: t := t + 1;M3: x := t;M4: release(l);M5:
Intuitive reasoning with atomic actions
![Page 8: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/8.jpg)
int t;
atomic { L0: acquire(l); L1: t := x; L2: t := t + 1; L3: x := t; L4: release(l);}L5:
pre x=c;
post x=c+2;
int t;
atomic { M0: acquire(l); M1: t := x; M2: t := t + 1; M3: x := t; M4: release(l);}M5:
Intuitive reasoning with atomic actions
B@M0x=c, B@M5x=c+1
B@M0x=c+1, B@M5x=c+2
A@L0x=c, A@L5x=c+1
A@L0x=c+1, A@L5x=c+2
![Page 9: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/9.jpg)
pre x=c;
post x=c+2;
atomic { x := x + 1; }
Intuitive reasoning with atomic actions
atomic { x := x + 1; }
![Page 10: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/10.jpg)
pre x=c;
post x=c+2;
atomic { x := x + 1; }atomic { x := x + 1; }
Intuitive reasoning with atomic actions
Verify using sequential methods!
![Page 11: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/11.jpg)
• Do not verify the original program• Instead, simplify the program• Verify the program once it is simple enough
QED
I0,P0 I1,P1 I2,P2 I3,P3
I,PInvariant Program text
• Simplified program has simpler invariants• Abstraction of a program is another program
![Page 12: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/12.jpg)
procedure Write(int a, int d) { atomic { m[a] := d; }}
procedure Snapshot(int a, int b, out int da, out int db) { atomic { da := m[a]; db := m[b]; }}
Atomic snapshotint[] m;
![Page 13: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/13.jpg)
procedure Write(int a, int d) { atomic { m[a].d := d; m[a].v := m[a].v+1; }}
procedure Snapshot(int a, int b, out bool s, out int da, out int db) { int va, vb;
atomic { va := m[a].v; da := m[a].d; } atomic { vb := m[b].v; db := m[b].d; } s := true; atomic { if (va < m[a].v) { s := false; } } atomic { if (vb < m[b].v) { s := false; } }}
Atomic snapshotclass VersionedInteger { int v; int d; } VersionedInteger[] m;
![Page 14: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/14.jpg)
QED-simplified atomic snapshot
procedure Write(int a, int d) { atomic { m[a].d := d; m[a].v := m[a].v+1; }}
procedure Snapshot(int a: int, int b, out bool s, out int da, out int db) { atomic { havoc s, da, db; if (s) { da := m[a].d; db := m[b].d; } }}
class VersionedInteger { int v; int d; } VersionedInteger[] m;
![Page 15: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/15.jpg)
QED transformations
I,P I’,P’
1. Strengthen invariant2. Reduce program3. Abstract program
![Page 16: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/16.jpg)
Rule 1: Strengthen invariant
I,P I’,P
I’ I
![Page 17: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/17.jpg)
Rule 2: Reduce program
atomic { A ; B }atomic { A } ; atomic { B }
I,P I,P’
![Page 18: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/18.jpg)
S1 S2 S3
acquire y
S1 T2 S3
acquirey
S1 T2 S3
release x
S1 S2 S3
releasex
Right and left movers (Lipton 1975)
int owner;
procedure acquire() { atomic { assume owner == 0; owner := tid; }}
procedure release() { atomic { assert owner == tid; owner := 0; }}
Lock
![Page 19: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/19.jpg)
S0. S5
R* N L*x Y. . .
S0. S5
R* N L*x Y. . .
Reduction theorem
Sequence R*;(N+); L* is atomic
![Page 20: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/20.jpg)
Rule 3: Abstract program
atomic { A } atomic { B }
I,P I,P’
From each state x in I, if A can go to y then B can also go to y
![Page 21: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/21.jpg)
21
QED tool
reduceabstract
.....reducecheck
[http://qed.codeplex.com]
QED
Correct
...P1 PnP2
P1
Pn
![Page 22: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/22.jpg)
QED-verified examples
• Fine-grained locking– Linked-list with hand-over-hand locking [Herlihy-Shavit 08] – Two-lock queue [Michael-Scott 96]
• Non-blocking algorithms– Bakery [Lamport 74] – Non-blocking stack [Treiber 86]– Obstruction-free deque [Herlihy et al. 03]– Non-blocking stack [Michael 04]– Writer mode of non-blocking readers/writer lock [Krieger et al. 93] – Non-blocking queue [Michael-Scott 96] – Synchronous queue [Scherer-Lea-Scott 06]
![Page 23: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/23.jpg)
QED transformations
I,P I’,P’
• Strengthen invariant• Abstract program• Reduce program
The rules are symbiotic:• Abstraction enables reduction• Reduction enables abstraction• Program simplification enables simpler invariants
Together these rules are surprisingly powerful!
![Page 24: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/24.jpg)
Two examples
• Atomic snapshot– Abstraction enables reduction
• Spin lock– Program simplification yields simpler invariants
![Page 25: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/25.jpg)
Atomic Snapshot
![Page 26: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/26.jpg)
class VersionedInteger { int v; int d; } VersionedInteger[] m;
procedure Write(int a, int d) { atomic { m[a].d := d; m[a].v := m[a].v+1; }}
procedure Snapshot(int a, int b, out bool s, out int da, out int db) { int va, vb;
atomic { va := m[a].v; da := m[a].d; } atomic { vb := m[b].v; db := m[b].d; } s := true; atomic { if (va < m[a].v) { s := false; } } atomic { if (vb < m[b].v) { s := false; } }}
![Page 27: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/27.jpg)
class VersionedInteger { int v; int d; } VersionedInteger[] m;
procedure Write(int a, int d) { atomic { m[a].d := d; m[a].v := m[a].v+1; }}
procedure Snapshot(int a, int b, out bool s, out int da, out int db) { int va, vb;
atomic { havoc va, da; assume va <= m[a].v; if (va == m[a].v) { da := m[a].d; } } atomic { havoc vb, db; assume vb <= m[b].v; if (vb == m[b].v) { db := m[b].d; } } s := true; atomic { if (va < m[a].v) { s := false; } if (s) { havoc s; } } atomic { if (vb < m[b].v) { s := false; } if (s) { havoc s; } }}
Left Mover
Right MoverRight Mover
Left Mover
![Page 28: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/28.jpg)
class VersionedInteger { int v; int d; } VersionedInteger[] m;
procedure Write(int a, int d) { atomic { m[a].d := d; m[a].v := m[a].v+1; }}
procedure Snapshot(int a, int b, out bool s, out int da, out int db) { int va, vb;
atomic { havoc va, da; assume va <= m[a].v; if (va == m[a].v) { da := m[a].d; } havoc vb, db; assume vb <= m[b].v; if (vb == m[b].v) { db := m[b].d; } s := true; if (va < m[a].v) { s := false; } if (s) { havoc s; } if (vb < m[b].v) { s := false; } if (s) { havoc s; } }}
![Page 29: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/29.jpg)
class VersionedInteger { int v; int d; } VersionedInteger[] m;
procedure Write(int a, int d) { atomic { m[a].d := d; m[a].v := m[a].v+1; }}
procedure Snapshot(int a, int b, out bool s, out int da, out int db) { int va, vb;
atomic { havoc va, da, vb, db, s; if (s) { va := m[a].v; da := m[a].d; vb := m[b].v; db := m[b].d; s := true; } }}
![Page 30: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/30.jpg)
class VersionedInteger { int v; int d; } VersionedInteger[] m;
procedure Write(int a, int d) { atomic { m[a].d := d; m[a].v := m[a].v+1; }}
procedure Snapshot(int a, int b, out bool s, out int da, out int db) { atomic { havoc da, db, s; if (s) { da := m[a].d; db := m[b].d; } }}
Hide va, vb
![Page 31: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/31.jpg)
Spin Lock
![Page 32: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/32.jpg)
bool held;
procedure acquire() { while (true) { if (CAS(held, false, true)) { break; } }}
procedure release() { held := false;}
int owner;
procedure acquire() { atomic { assume owner == 0; owner := tid; }}
procedure release() { atomic { assert owner == tid; owner := 0; }}
![Page 33: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/33.jpg)
bool held;int owner;
procedure acquire() { while (true) { if (CAS(held, false, true)) { owner := tid; break; } }}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
![Page 34: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/34.jpg)
bool held;int owner;
procedure acquire() { while (*) { assume held != false; } atomic { assume held == false; held := true; } owner := tid;}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
![Page 35: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/35.jpg)
bool held;int owner;
procedure acquire() { while (*) { assume true; } atomic { assume held == false; held := true; } owner := tid;}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
![Page 36: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/36.jpg)
bool held;int owner;
procedure acquire() { atomic { assume held == false; held := true; } owner := tid;}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
![Page 37: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/37.jpg)
bool held;int owner;
procedure acquire() { atomic { assume held == false; held := true; } atomic { assert owner == 0; owner := tid; }}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
Left Mover
(Not Quite) Invariant: owner == 0 held == false
![Page 38: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/38.jpg)
bool held;int owner;
procedure acquire() { atomic { assume held == false; held := true; assert owner == 0; owner := tid; }}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
![Page 39: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/39.jpg)
bool held;int owner;
procedure acquire() { atomic { assume held == false; held := true; assert owner == 0; owner := tid; }}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
Invariant: owner == 0 held == false
![Page 40: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/40.jpg)
bool held;int owner;
procedure acquire() { atomic { assume held == false; held := true; assume owner == 0; owner := tid; }}
procedure release() { atomic { assert owner == tid; owner := 0; held := false; }}
![Page 41: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/41.jpg)
int owner;
procedure acquire() { atomic { assume owner == 0; owner := tid; }}
procedure release() { atomic { assert owner == tid; owner := 0; }}
Hide held
![Page 42: QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.](https://reader036.fdocuments.in/reader036/viewer/2022070307/551b0e7155034607418b51b0/html5/thumbnails/42.jpg)
Conclusions
• QED: A simplifier for concurrent programs– Do not verify the original program– Instead, simplify the program– Verify the program once it is simple enough
• Other applications– Concurrency testing – Programmer-assisted parallelization